Hospital Equipment Manufacturing Company
Health scare: Much hospital equipment uses software that can be vulnerable to viruses. PR Newswire. Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent ...
Hospital Equipment Manufacturing Company
Global Edition About News & Analysis Magazine Lists Events More Newsletters Support Contact Us Emtech MIT MIT Enterprise Forum Connect Select your localized edition:
Tom SimoniteMenu News & Analysis Magazine Lists Events About More Features Views Multimedia Discussions Topics Popular: BIG PROBLEMS CLIMATE ENGINEERING IMPACT-SENSING CAP UNIVERSE SIMULATION BOMB-SNIFFING MICE A123 PROBLEM Current Issue Past Issues MIT News Magazine International Editions Business Reports Special Publications Subscriptions » Innovators Under 35 Disruptive Companies Breakthrough Technologies Nominations » Upcoming Events Partner Events Emtech MIT MIT Enterprise Forum Our Team Join Us Press Room Awards Advertise Permissions Contact Us Customer Support » Support Contact Us Emtech MIT MIT Enterprise Forum Connect Login / Join Popular New Incompatible browser: Your browser does not meet modern web standards.
Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.
While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.
Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other device brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.
In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufactures will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.
As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.
"I find this mind-boggling," Fu says. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security & Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.
"It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data," Olson said during the meeting, referring to high-risk pregnancy monitors. "Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there's someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction."
The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.
Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed. "We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can't be used, or they become compromised to the point where their values are adjusted without the software knowing," he said. He explained that when a machine becomes clogged with malware, it could in theory "miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm."
Often the malware is associated with botnets, Olson said, and once it lodges inside a computer, it attempts to contact command-and-control servers for instructions. Botnets, or collections of compromised computers, commonly send spam but can also wage attacks on other computer systems or do other tasks assigned by the organizations that control them (see "Moore's Outlaws").
In September, the Government Accountability Office issued a report warning that computerized medical devices could be vulnerable to hacking, posing a safety threat, and asked the FDA to address the issue. The GAO report focused mostly on the threat to two kinds of wireless implanted devices: implanted defibrillators and insulin pumps. The vulnerability of these devices has received widespread press attention (see "Personal Security" and "Keeping Pacemakers Safe from Hackers"), but no actual attacks on them have been reported.
Fu, who is a leader in researching the risks described in the GAO report, said those two classes of device are "a drop in the bucket": thousands of other network-connected devices used for patient care are also vulnerable to infection. "These are life-saving devices. Patients are overwhelmingly safer with them than without them. But cracks are showing," he said. (Fu was Technology Review's Innovator of the Year in 2009.)
Malware problems on hospital devices are rarely reported to state or federal regulators, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed. "Maybe that's a failing on our part, that we aren't trying to raise the visibility of the threat," Olson said. "But I think we all feel the threat gets higher and higher."
Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel's problems to be widely shared. "This is a very common profile," he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. "This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this," he said.
In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA's 2009 guidance, regulations make system changes difficult to accomplish: "In order to go back and update the OS, with updated software to run on the next version, it's an onerous regulatory process."
Olson said that in his experience, GE Healthcare does offer software patches and guidance on keeping devices secure, but that not all manufacturers have the same posture. He added that the least-protected devices have been placed behind firewalls. But to do that with all a hospital's software-controlled equipment would require more than 200 firewalls—an unworkable prospect, he said.
John Halamka, Beth Israel's CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that "could not be patched due to [regulatory] restrictions." He said, "No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network."
He added: "Many CTOs are not aware of how to protect their own products with restrictive firewalls. All said they are working to improve security but have not yet produced the necessary enhancements."
Fu says that medical devices need to stop using insecure, unsupported operating systems. "More hospitals and manufacturers need to speak up about the importance of medical-device security," he said after the meeting. "Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there."34 comments.
I’m MIT Technology Review's chief correspondent, keeping an eye most often on the world of information and communication technologies—and asking my kids when I don’t understand what’s going on. Recent projects have taken me to Kenya to write about mobile-phone-based health initiatives, and...
By altering the craft of how music is recorded, technology is actually renewing the social, ephemeral aspects that are experienced most fully in live performance.Windows 8: Does Microsoft’s Split-Personality OS Make Sense?Developers Use a Workaround to Make iPhone Apps Do MoreMicrosoft's Plan to Bring About the Era of Gesture ControlPreparing for Cyber War, Without a MapExplore these tags:
Twitter Facebook YouTube LinkedIn Views from the Marketplace are paid for by our key partners. All Views from the Marketplace have been approved by our team.
Starting today, you will see the results of our commitment to a "digital first" strategy—reporting on technologies that matter, and explaining how they will change our lives. Our new look and feel also marks the return to our rich heritage of design.
News and Analysis Home Popular Today's News Blogs Photo Galleries Videos Back to Top MIT Technology Review identifies important new technologies — deciphering their practical impact and revealing how they will change our lives.
Twitter Facebook LinkedIn YouTube StumbleUpon RSS Mobile MIT Technology ReviewEthics Statement Terms of Service Privacy © 2012 v1.12.10.
Tom SimoniteMenu News & Analysis Magazine Lists Events About More Features Views Multimedia Discussions Topics Popular: BIG PROBLEMS CLIMATE ENGINEERING IMPACT-SENSING CAP UNIVERSE SIMULATION BOMB-SNIFFING MICE A123 PROBLEM Current Issue Past Issues MIT News Magazine International Editions Business Reports Special Publications Subscriptions » Innovators Under 35 Disruptive Companies Breakthrough Technologies Nominations » Upcoming Events Partner Events Emtech MIT MIT Enterprise Forum Our Team Join Us Press Room Awards Advertise Permissions Contact Us Customer Support » Support Contact Us Emtech MIT MIT Enterprise Forum Connect Login / Join Popular New Incompatible browser: Your browser does not meet modern web standards.
Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.
While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.
Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other device brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.
In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufactures will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.
As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.
"I find this mind-boggling," Fu says. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security & Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.
"It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data," Olson said during the meeting, referring to high-risk pregnancy monitors. "Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there's someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction."
The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.
Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed. "We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can't be used, or they become compromised to the point where their values are adjusted without the software knowing," he said. He explained that when a machine becomes clogged with malware, it could in theory "miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm."
Often the malware is associated with botnets, Olson said, and once it lodges inside a computer, it attempts to contact command-and-control servers for instructions. Botnets, or collections of compromised computers, commonly send spam but can also wage attacks on other computer systems or do other tasks assigned by the organizations that control them (see "Moore's Outlaws").
In September, the Government Accountability Office issued a report warning that computerized medical devices could be vulnerable to hacking, posing a safety threat, and asked the FDA to address the issue. The GAO report focused mostly on the threat to two kinds of wireless implanted devices: implanted defibrillators and insulin pumps. The vulnerability of these devices has received widespread press attention (see "Personal Security" and "Keeping Pacemakers Safe from Hackers"), but no actual attacks on them have been reported.
Fu, who is a leader in researching the risks described in the GAO report, said those two classes of device are "a drop in the bucket": thousands of other network-connected devices used for patient care are also vulnerable to infection. "These are life-saving devices. Patients are overwhelmingly safer with them than without them. But cracks are showing," he said. (Fu was Technology Review's Innovator of the Year in 2009.)
Malware problems on hospital devices are rarely reported to state or federal regulators, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed. "Maybe that's a failing on our part, that we aren't trying to raise the visibility of the threat," Olson said. "But I think we all feel the threat gets higher and higher."
Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel's problems to be widely shared. "This is a very common profile," he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. "This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this," he said.
In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA's 2009 guidance, regulations make system changes difficult to accomplish: "In order to go back and update the OS, with updated software to run on the next version, it's an onerous regulatory process."
Olson said that in his experience, GE Healthcare does offer software patches and guidance on keeping devices secure, but that not all manufacturers have the same posture. He added that the least-protected devices have been placed behind firewalls. But to do that with all a hospital's software-controlled equipment would require more than 200 firewalls—an unworkable prospect, he said.
John Halamka, Beth Israel's CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that "could not be patched due to [regulatory] restrictions." He said, "No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network."
He added: "Many CTOs are not aware of how to protect their own products with restrictive firewalls. All said they are working to improve security but have not yet produced the necessary enhancements."
Fu says that medical devices need to stop using insecure, unsupported operating systems. "More hospitals and manufacturers need to speak up about the importance of medical-device security," he said after the meeting. "Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there."34 comments.
I’m MIT Technology Review's chief correspondent, keeping an eye most often on the world of information and communication technologies—and asking my kids when I don’t understand what’s going on. Recent projects have taken me to Kenya to write about mobile-phone-based health initiatives, and...
By altering the craft of how music is recorded, technology is actually renewing the social, ephemeral aspects that are experienced most fully in live performance.Windows 8: Does Microsoft’s Split-Personality OS Make Sense?Developers Use a Workaround to Make iPhone Apps Do MoreMicrosoft's Plan to Bring About the Era of Gesture ControlPreparing for Cyber War, Without a MapExplore these tags:
Twitter Facebook YouTube LinkedIn Views from the Marketplace are paid for by our key partners. All Views from the Marketplace have been approved by our team.
Starting today, you will see the results of our commitment to a "digital first" strategy—reporting on technologies that matter, and explaining how they will change our lives. Our new look and feel also marks the return to our rich heritage of design.
News and Analysis Home Popular Today's News Blogs Photo Galleries Videos Back to Top MIT Technology Review identifies important new technologies — deciphering their practical impact and revealing how they will change our lives.
Twitter Facebook LinkedIn YouTube StumbleUpon RSS Mobile MIT Technology ReviewEthics Statement Terms of Service Privacy © 2012 v1.12.10.
No comments:
Post a Comment